Headline

GHSA-9v3w-w2jh-4hff: HashiCorp Vault and Vault Enterprise vulnerable to user enumeration

HashiCorp’s Vault and Vault Enterprise are vulnerable to user enumeration when using the LDAP auth method. An attacker may submit requests of existent and non-existent LDAP users and observe the response from Vault to check if the account is valid on the LDAP server. This vulnerability is fixed in Vault 1.14.1 and 1.13.5.

1 year ago

ghsa

Open in Source

#vulnerability #git #ldap #auth

HashiCorp Vault and Vault Enterprise vulnerable to user enumeration

Moderate severity GitHub Reviewed Published Aug 1, 2023 to the GitHub Advisory Database • Updated Aug 1, 2023

Related news

Red Hat Security Advisory 2024-7599-03

Red Hat Security Advisory 2024-7599-03 - Red Hat OpenShift Container Platform release 4.16.16 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include code execution, denial of service, integer overflow, and out of bounds write vulnerabilities.

27 days ago

Packet Storm

Open in Source

#vulnerability #web #red_hat #dos #js #kubernetes #rce #ldap #auth #rpm #ssl

CVE-2023-3462: HCSEC-2023-24 - Vault's LDAP Auth Method Allows for User Enumeration

HashiCorp's Vault and Vault Enterprise are vulnerable to user enumeration when using the LDAP auth method. An attacker may submit requests of existent and non-existent LDAP users and observe the response from Vault to check if the account is valid on the LDAP server. This vulnerability is fixed in Vault 1.14.1 and 1.13.5.

1 year ago

CVE

Open in Source

#vulnerability #ldap #auth